Analysis Overview
SHA256
e25de236ced06f9dd1e0570a0b49beded9fa51965d1ed2d7c544b84b25a7c566
Threat Level: Known bad
The file e25de236ced06f9dd1e0570a0b49beded9fa51965d1ed2d7c544b84b25a7c566.bin was found to be: Known bad.
Malicious Activity Summary
Cerberus payload
Alienbot
Cerberus
Removes its main activity from the application launcher
Makes use of the framework's Accessibility service.
Loads dropped Dex/Jar
Requests dangerous framework permissions
Acquires the wake lock.
Requests disabling of battery optimizations (often used to enable hiding in the background).
Removes a system notification.
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-04 22:00
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
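The permission list above is only meaningful in combination: SMS receive plus SMS read is the OTP-interception profile, and an accessibility service turns that into a full overlay/credential-theft toolkit. The following triage script is an added example, not part of this report or of the sample; it parses a manifest and keys on those combinations. The manifest it runs on is constructed: the uses-permission lines reproduce the static1 table (duplicates included), while the accessibility service block is an assumption, since the report does not print the manifest.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS
PERMISSION = "{%s}permission" % ANDROID_NS

# Constructed manifest (not extracted from the sample): permissions as listed in the
# static1 table, plus an ASSUMED accessibility service declaration.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.swift.wrap">
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Capability clusters typical of SMS-stealing banking trojans. A single permission is
# rarely decisive; the combination is what a triage rule should key on.
CLUSTERS = {
    "otp_interception": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "sms_sending": {"android.permission.SEND_SMS"},
    "contact_harvest": {"android.permission.READ_CONTACTS", "android.permission.GET_ACCOUNTS"},
    "call_control": {"android.permission.CALL_PHONE", "android.permission.READ_PHONE_STATE"},
    "audio_capture": {"android.permission.RECORD_AUDIO"},
}

ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def declared_permissions(manifest_xml: str) -> set:
    """Unique <uses-permission> names; duplicate declarations collapse to one."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME) for el in root.iter("uses-permission") if el.get(NAME)}


def accessibility_services(manifest_xml: str) -> list:
    """Names of <service> elements that bind as accessibility services."""
    root = ET.fromstring(manifest_xml)
    found = []
    for svc in root.iter("service"):
        actions = {a.get(NAME) for a in svc.iter("action")}
        if svc.get(PERMISSION) == ACCESSIBILITY_PERMISSION and ACCESSIBILITY_ACTION in actions:
            found.append(svc.get(NAME))
    return found


def triage(manifest_xml: str) -> dict:
    """Match permission clusters and flag the OTP-interception + accessibility profile."""
    perms = declared_permissions(manifest_xml)
    clusters = sorted(name for name, need in CLUSTERS.items() if need <= perms)
    acc = accessibility_services(manifest_xml)
    suspicious = "otp_interception" in clusters and bool(acc)
    return {
        "permissions": sorted(perms),
        "clusters": clusters,
        "accessibility_services": acc,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

Run it against a decoded AndroidManifest.xml (apktool or aapt2 output) instead of the constructed string; the cluster table is the part to tune for your own triage policy.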
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-04 22:00
Reported
2023-10-04 22:02
Platform
android-x86-arm-20230831-en
Max time kernel
4239842s
Max time network
148s
Command Line
Signatures
Alienbot
Cerberus
Cerberus payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Makes use of the framework's Accessibility service.
| Description | Indicator | Process | Target |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A |
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Acquires the wake lock.
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.swift.wrap/app_DynamicOptDex/pFFJk.json | N/A | N/A |
| N/A | /data/user/0/com.swift.wrap/app_DynamicOptDex/pFFJk.json | N/A | N/A |
Requests disabling of battery optimizations (often used to enable hiding in the background).
| Description | Indicator | Process | Target |
| Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A |
Removes a system notification.
| Description | Indicator | Process | Target |
| Framework service call | android.app.INotificationManager.cancelNotificationWithTag | N/A | N/A |
Processes
com.swift.wrap
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.swift.wrap/app_DynamicOptDex/pFFJk.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.swift.wrap/app_DynamicOptDex/oat/x86/pFFJk.odex --compiler-filter=quicken --class-loader-context=&
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| NL | 142.250.179.138:443 | | tcp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| GB | 216.58.208.106:443 | infinitedata-pa.googleapis.com | tcp |
| US | 1.1.1.1:53 | jsonplaceholder.typicode.com | udp |
| US | 172.64.133.18:443 | jsonplaceholder.typicode.com | tcp |
| NL | 172.217.168.238:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| NL | 142.250.179.142:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | eklimitonay.online | udp |
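Most rows in this table are emulator background traffic (mDNS, Google platform endpoints). What a practitioner wants from it is the residue: names queried that are not platform infrastructure, and names that were resolved but never followed by a TCP connection. The script below is an added example, not part of the report; it parses the rows copied from the table above (with the domain and proto columns straightened) and separates those cases. The platform-suffix allowlist is an assumption; a name falling outside it is a triage hint, not a verdict.

```python
# Rows copied from the behavioral1 Network table above (columns straightened).
NETWORK_TABLE = """\
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 |  | udp |
| NL | 142.250.179.138:443 |  | tcp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| GB | 216.58.208.106:443 | infinitedata-pa.googleapis.com | tcp |
| US | 1.1.1.1:53 | jsonplaceholder.typicode.com | udp |
| US | 172.64.133.18:443 | jsonplaceholder.typicode.com | tcp |
| NL | 172.217.168.238:443 |  | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| NL | 142.250.179.142:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | eklimitonay.online | udp |
"""

# ASSUMED allowlist of platform suffixes the Android emulator contacts on its own.
PLATFORM_SUFFIXES = (".googleapis.com", ".google.com", ".gstatic.com")
MDNS_GROUP = "224.0.0.251"


def parse_table(text: str) -> list:
    """Turn the pipe-delimited rows into dicts; skips the header and blank lines."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        host, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": host, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def is_platform(domain: str) -> bool:
    return any(domain == s[1:] or domain.endswith(s) for s in PLATFORM_SUFFIXES)


def triage(text: str) -> dict:
    """Split the table into platform noise, unlisted names and resolved-but-unused names."""
    rows = parse_table(text)
    queried = {r["domain"] for r in rows if r["port"] == 53 and r["domain"]}
    connected = {r["domain"] for r in rows if r["proto"] == "tcp" and r["domain"]}
    unattributed = sorted({f'{r["ip"]}:{r["port"]}' for r in rows
                           if r["proto"] == "tcp" and not r["domain"]})
    return {
        "queried": sorted(queried),
        # Names outside the allowlist: the ones worth pivoting on.
        "non_platform": sorted(d for d in queried | connected if not is_platform(d)),
        # DNS lookup seen, no TCP row: NXDOMAIN, sinkholed, or a connection the
        # sandbox never captured. Either way the name is still an indicator.
        "queried_without_connection": sorted(queried - connected),
        # TLS to an IP with no preceding DNS row in the table: cannot be attributed here.
        "unattributed_tcp": unattributed,
        "mdns_noise": any(r["ip"] == MDNS_GROUP for r in rows),
    }


if __name__ == "__main__":
    for key, value in triage(NETWORK_TABLE).items():
        print(f"{key}: {value}")
```

The same parser works on the behavioral2 and behavioral3 tables; compare the `queried_without_connection` sets across runs to see which names never resolved in any of them.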
Files
/data/data/com.swift.wrap/app_DynamicOptDex/pFFJk.json
| MD5 | 0219b6d26de9a569780bfc32d089ad79 |
| SHA1 | 9fceddb0f5081cc5766c9d45960d7a1a15ff68fe |
| SHA256 | 61c3c9363d3b4cdd47db00e573a363f272c376aa850b61ca4ac6a31a3d293bc9 |
| SHA512 | a38e4b67fd045637363f968433850adcb5d1924a354b0afd364f2c7c25b0258dfc5554c79c4c40d6642d407d4c69751a8dbb476a1fec79133c85d668b327f12e |
/data/data/com.swift.wrap/app_DynamicOptDex/pFFJk.json
| MD5 | 3f3a4f6cd15e01e61d5661f8331c0a34 |
| SHA1 | 51c652dac5a7e722e80abff83ee2be3f964d789d |
| SHA256 | f2d5451b9e9d63bdbf6b90e680af654d84be3ecc74d1e4ef603aacce23fa9275 |
| SHA512 | f905b417fac1b04773239b174d04047e1ce6e7306818c883975adc2cc20c3eab6d536e164cec7d6ff048dcc251f3b8ce842d1fc0ea028121612f3d8202fb63c8 |
/data/user/0/com.swift.wrap/app_DynamicOptDex/pFFJk.json
| MD5 | 3eb1657245e2ca6c42bbeafacf31f02a |
| SHA1 | b6b5ab7a1d86a3aca95133cda391d8e7cae42fae |
| SHA256 | 2a5102bb793252bcaa0bd5c08aba8410b48bca16a383975130bc5dd3f8a64af2 |
| SHA512 | 316106d36bb571b8ecb4666c460e38645c273d2ef33643544c3b800610443ab4a256474486711a0f1285d28ec78ca448d7302adb8ee32d8923ebeec038a67767 |
/data/user/0/com.swift.wrap/app_DynamicOptDex/pFFJk.json
| MD5 | 41e439e3c62b9885f1dbd5934dde2949 |
| SHA1 | 73ded2dacfe908dc8ed08a3535d0111d712501a3 |
| SHA256 | 5aae4163bcb5869a98f0fd358726b42076b58b30db4ee0e24951952a2ad8a6a0 |
| SHA512 | e5b47ba9910f9ab6ded461dfc33dabe65d7ee2b6cdfced599c6ca126a4786391492ef514435e567e522932fac27bb425f1a54b7ca9ba8e2933e7d6d1e490a9a2 |
/data/data/com.swift.wrap/app_DynamicOptDex/oat/pFFJk.json.cur.prof
| MD5 | b31f0f9fb507566ff3910a34e79f1911 |
| SHA1 | 2b8b557514c2e70da52b84ddb9d44e1ffd0d9d6b |
| SHA256 | 49b5f8f9f4c677a27fbf697a74c3420f50d4b6bc0a593acd5d8e63e5622b7b5d |
| SHA512 | 13dc191c41c96872dad603a82726aaa8179bd62bb361cb184bb54f1600a4349b5bcc58e57aa8ad33ea227f7cf52eceee96c397238a4b6e8f994d156147ead04c |
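The dex2oat command line in the Processes section was invoked with `--dex-file=.../app_DynamicOptDex/pFFJk.json`, so the dropped file is DEX regardless of its .json name, and the Files section shows that path being rewritten with several different hashes during the run. A scanner that trusts extensions misses this. The script below is an added example, not part of the report; it validates the DEX header structurally (magic, version, file_size, header_size and endian tag) and hashes what it finds so the output can be compared with the hashes above. The directory it scans is constructed in a temp dir with the report's paths; the file contents are synthetic headers, not the sample's payload.

```python
import hashlib
import os
import struct
import tempfile

DEX_HEADER_SIZE = 0x70
DEX_ENDIAN_TAG = 0x12345678


def is_dex(data: bytes) -> bool:
    """True if data starts with a structurally valid DEX header, whatever the filename says.

    Goes beyond the 'dex\\n' magic so a text file that happens to begin with those bytes is
    not flagged: version digits, file_size equal to the real length, header_size 0x70 and
    the little-endian endian_tag constant must all agree.
    """
    if len(data) < DEX_HEADER_SIZE or data[:4] != b"dex\n":
        return False
    version = data[4:8]
    if not (version[:3].isdigit() and version[3:4] == b"\x00"):
        return False
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 0x20)
    return (file_size == len(data) and header_size == DEX_HEADER_SIZE
            and endian_tag == DEX_ENDIAN_TAG)


def scan_dir(root: str) -> list:
    """Walk root; report every DEX file and whether its extension hides that."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                data = f.read()
            if not is_dex(data):
                continue
            ext = os.path.splitext(name)[1].lower()
            findings.append({
                "path": path,
                "name": name,
                "disguised": ext not in (".dex", ".odex"),
                "sha256": hashlib.sha256(data).hexdigest(),
            })
    return findings


def build_fake_dex(total_len: int = 0x100) -> bytes:
    """Constructed stand-in for a dropped classes.dex: valid header, zero-filled body."""
    hdr = bytearray(DEX_HEADER_SIZE)
    hdr[0:8] = b"dex\n035\x00"
    struct.pack_into("<III", hdr, 0x20, total_len, DEX_HEADER_SIZE, DEX_ENDIAN_TAG)
    return bytes(hdr) + b"\x00" * (total_len - DEX_HEADER_SIZE)


def demo() -> list:
    """Recreate the report's directory layout in a temp dir (constructed contents) and scan it."""
    root = tempfile.mkdtemp(prefix="dexscan_")
    app = os.path.join(root, "data", "user", "0", "com.swift.wrap", "app_DynamicOptDex")
    os.makedirs(app)
    with open(os.path.join(app, "pFFJk.json"), "wb") as f:   # DEX hiding behind .json
        f.write(build_fake_dex())
    with open(os.path.join(app, "config.json"), "wb") as f:  # real JSON, must not be flagged
        f.write(b'{"dex\\n": "looks similar but is text"}')
    with open(os.path.join(app, "classes.dex"), "wb") as f:  # DEX with an honest extension
        f.write(build_fake_dex(0x90))
    return sorted(scan_dir(root), key=lambda r: r["name"])


if __name__ == "__main__":
    for r in demo():
        tag = "DISGUISED" if r["disguised"] else "dex      "
        print(f"{tag} {r['path']} {r['sha256']}")
```

On a pulled `/data/data/<pkg>` tree, point `scan_dir` at the package directory; anything flagged `disguised` under `app_DynamicOptDex` or a similar app-private directory is the payload to carve and decompile.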
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-04 22:00
Reported
2023-10-04 22:02
Platform
android-x64-20230831-en
Max time kernel
4239840s
Max time network
156s
Command Line
Signatures
Alienbot
Cerberus
Cerberus payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Makes use of the framework's Accessibility service.
| Description | Indicator | Process | Target |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A |
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Acquires the wake lock.
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.swift.wrap/app_DynamicOptDex/pFFJk.json | N/A | N/A |
Processes
com.swift.wrap
getprop ro.miui.ui.version.name
getprop ro.miui.ui.version.name
getprop ro.miui.ui.version.name
getprop ro.miui.ui.version.name
getprop ro.miui.ui.version.name
getprop ro.miui.ui.version.name
getprop ro.miui.ui.version.name
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| NL | 142.250.179.142:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| US | 1.1.1.1:53 | jsonplaceholder.typicode.com | udp |
| US | 172.64.133.18:443 | jsonplaceholder.typicode.com | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| NL | 142.250.179.142:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| US | 1.1.1.1:53 | eklimitonay.online | udp |
| NL | 142.251.36.42:443 | infinitedata-pa.googleapis.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| NL | 142.251.36.40:443 | ssl.google-analytics.com | tcp |
Files
/data/data/com.swift.wrap/app_DynamicOptDex/pFFJk.json
| MD5 | 0219b6d26de9a569780bfc32d089ad79 |
| SHA1 | 9fceddb0f5081cc5766c9d45960d7a1a15ff68fe |
| SHA256 | 61c3c9363d3b4cdd47db00e573a363f272c376aa850b61ca4ac6a31a3d293bc9 |
| SHA512 | a38e4b67fd045637363f968433850adcb5d1924a354b0afd364f2c7c25b0258dfc5554c79c4c40d6642d407d4c69751a8dbb476a1fec79133c85d668b327f12e |
/data/data/com.swift.wrap/app_DynamicOptDex/pFFJk.json
| MD5 | 3f3a4f6cd15e01e61d5661f8331c0a34 |
| SHA1 | 51c652dac5a7e722e80abff83ee2be3f964d789d |
| SHA256 | f2d5451b9e9d63bdbf6b90e680af654d84be3ecc74d1e4ef603aacce23fa9275 |
| SHA512 | f905b417fac1b04773239b174d04047e1ce6e7306818c883975adc2cc20c3eab6d536e164cec7d6ff048dcc251f3b8ce842d1fc0ea028121612f3d8202fb63c8 |
/data/user/0/com.swift.wrap/app_DynamicOptDex/pFFJk.json
| MD5 | 3eb1657245e2ca6c42bbeafacf31f02a |
| SHA1 | b6b5ab7a1d86a3aca95133cda391d8e7cae42fae |
| SHA256 | 2a5102bb793252bcaa0bd5c08aba8410b48bca16a383975130bc5dd3f8a64af2 |
| SHA512 | 316106d36bb571b8ecb4666c460e38645c273d2ef33643544c3b800610443ab4a256474486711a0f1285d28ec78ca448d7302adb8ee32d8923ebeec038a67767 |
/data/data/com.swift.wrap/app_DynamicOptDex/oat/pFFJk.json.cur.prof
| MD5 | 7cde27ad64a58ae6c614a4c1c1e8bb0e |
| SHA1 | ac34e8bd866ee9090da0b476bb216026e7a501fb |
| SHA256 | ddd0101bc580f556e5e2bd6af10f96dad01ad5102680715ce63d1d00b8be12a3 |
| SHA512 | f933bcc4ec1f0264b852b7334a054499c94af6cc3fcb88b60f4d6471f688bcefad788e02b0f1407ce1c1c07fceb8353122475859ccd295947970450204e3702d |
Analysis: behavioral3
Detonation Overview
Submitted
2023-10-04 22:00
Reported
2023-10-04 22:03
Platform
android-x64-arm64-20230831-en
Max time kernel
4239862s
Max time network
159s
Command Line
Signatures
Alienbot
Cerberus
Cerberus payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Makes use of the framework's Accessibility service.
| Description | Indicator | Process | Target |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A |
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Acquires the wake lock.
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.swift.wrap/app_DynamicOptDex/pFFJk.json | N/A | N/A |
Requests disabling of battery optimizations (often used to enable hiding in the background).
| Description | Indicator | Process | Target |
| Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A |
Processes
com.swift.wrap
getprop ro.miui.ui.version.name
getprop ro.miui.ui.version.name
getprop ro.miui.ui.version.name
getprop ro.miui.ui.version.name
getprop ro.miui.ui.version.name
getprop ro.miui.ui.version.name
getprop ro.miui.ui.version.name
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| NL | 142.250.179.142:443 | | tcp |
| NL | 142.250.179.142:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| US | 1.1.1.1:53 | jsonplaceholder.typicode.com | udp |
| US | 172.64.133.18:443 | jsonplaceholder.typicode.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| NL | 142.251.39.104:443 | ssl.google-analytics.com | tcp |
| NL | 142.251.36.10:80 | play.googleapis.com | tcp |
| US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| NL | 216.58.214.10:443 | infinitedata-pa.googleapis.com | tcp |
| US | 1.1.1.1:53 | eklimitonay.online | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| NL | 142.250.179.206:443 | android.apis.google.com | tcp |
Files
/data/user/0/com.swift.wrap/app_DynamicOptDex/pFFJk.json
| MD5 | 0219b6d26de9a569780bfc32d089ad79 |
| SHA1 | 9fceddb0f5081cc5766c9d45960d7a1a15ff68fe |
| SHA256 | 61c3c9363d3b4cdd47db00e573a363f272c376aa850b61ca4ac6a31a3d293bc9 |
| SHA512 | a38e4b67fd045637363f968433850adcb5d1924a354b0afd364f2c7c25b0258dfc5554c79c4c40d6642d407d4c69751a8dbb476a1fec79133c85d668b327f12e |
/data/user/0/com.swift.wrap/app_DynamicOptDex/pFFJk.json
| MD5 | 3f3a4f6cd15e01e61d5661f8331c0a34 |
| SHA1 | 51c652dac5a7e722e80abff83ee2be3f964d789d |
| SHA256 | f2d5451b9e9d63bdbf6b90e680af654d84be3ecc74d1e4ef603aacce23fa9275 |
| SHA512 | f905b417fac1b04773239b174d04047e1ce6e7306818c883975adc2cc20c3eab6d536e164cec7d6ff048dcc251f3b8ce842d1fc0ea028121612f3d8202fb63c8 |
/data/user/0/com.swift.wrap/app_DynamicOptDex/pFFJk.json
| MD5 | 3eb1657245e2ca6c42bbeafacf31f02a |
| SHA1 | b6b5ab7a1d86a3aca95133cda391d8e7cae42fae |
| SHA256 | 2a5102bb793252bcaa0bd5c08aba8410b48bca16a383975130bc5dd3f8a64af2 |
| SHA512 | 316106d36bb571b8ecb4666c460e38645c273d2ef33643544c3b800610443ab4a256474486711a0f1285d28ec78ca448d7302adb8ee32d8923ebeec038a67767 |
/data/user/0/com.swift.wrap/app_DynamicOptDex/oat/pFFJk.json.cur.prof
| MD5 | c67c80ebf9e52f29ca0fa1f2bfc43335 |
| SHA1 | 67e214f0393eb6481a4a53866c485ad67c6a3a2b |
| SHA256 | e9f317073732d5dc4c0408e1d1a83af57f83bfcefc4df550704abee2cec4aa10 |
| SHA512 | 51ee6d2cccf129ddd60b578ff7b02a1d15d527101dae11017f6fa031a3fba4934a1121672ab75a9cacf9a79b961dce1af81dc9fa354c688f4248bb8514c360a4 |
Analysis: behavioral4
Detonation Overview
Submitted
2023-10-04 22:00
Reported
2023-10-04 22:02
Platform
win7-20230831-en
Max time kernel
118s
Max time network
121s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\HM_JsBridge.js
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2023-10-04 22:00
Reported
2023-10-04 22:02
Platform
win10v2004-20230915-en
Max time kernel
140s
Max time network
145s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\HM_JsBridge.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.23.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 7.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2023-10-04 22:00
Reported
2023-10-04 22:02
Platform
win7-20230831-en
Max time kernel
136s
Max time network
133s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000918258b1c6eaef44bc85c7515db804ef000000000200000000001066000000010000200000004c0ec347028075f66e4d4b49a2aa4a509aafdb87b5042312093f188bc54a8a9e000000000e80000000020000200000001e59ee08eff19d7e108acfdb610eabe90b7638cc260e8e2d11dad7d4729fe1772000000021216f4266fb7dbec92df779c13249732fa9444699a652b5a476910edb53677940000000c3cb55205a1a9d575c0697291482a4c97c9a178f1cd12264d6f838449fa63a135ecd8c7b495548f51da0e53e434f066f10c3521a019fd6ece97799a3d5911a06 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (binary value omitted) | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "402618685" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{66716A51-6301-11EE-8E84-7200988DF339} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e030f03b0ef7d901 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2216 wrote to memory of 2160 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2216 wrote to memory of 2160 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2216 wrote to memory of 2160 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2216 wrote to memory of 2160 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\consentform.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2216 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5386c5cd42fcc012a1c21a1b45e489e0 |
| SHA1 | e9e5bdcd283a775a3c64a812429961475d889763 |
| SHA256 | 79498ea2a48f33e2e0a37780d76f9f45340e962928b80e053fd3ea1c7c18bb3e |
| SHA512 | d205dca5e39e7e4a70695a7a6f6121bf4d54732eff8a2207db0dc7a2583b541e448d973682a72ba787382624a791fd7a796daf19aa0d732d8385d5e21fc04144 |
C:\Users\Admin\AppData\Local\Temp\Cab5C54.tmp
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
C:\Users\Admin\AppData\Local\Temp\Tar5C57.tmp
| MD5 | 9441737383d21192400eca82fda910ec |
| SHA1 | 725e0d606a4fc9ba44aa8ffde65bed15e65367e4 |
| SHA256 | bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5 |
| SHA512 | 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c47f4b8a77a50516ffa1daf111a757fa |
| SHA1 | c821c4251304c31fe84d24ceb2c9d8a4e4fab10b |
| SHA256 | 1c2b27b341355cef55f4d2c72e580f3f9d91b9df4be29ce525cfbb2a00ab8abe |
| SHA512 | c221b8c2de78f292ef7cdae4fdc12e4e17090de41264fba966ff425c21b1afbe700693eebea57ef5599fdff8de4a166a74301316013bd9e0281e296b0c02a080 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 64ed01a314394a2f4c1ca94f3995a468 |
| SHA1 | 17296cbb9c6f1e94412f830727e983598975c634 |
| SHA256 | 9e81d35e1e0a4d4db372de8928c338ba0e145083c2454aa5686e57384de4df17 |
| SHA512 | 89e0c4572d1a091ad47e1d2384a25f93d872342739b8ad08fbba40e7da9f64758c5bc6d52e2eec8833f64ebb97b1a3eb6ff5f1ae2826cafd1029526111110027 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 698ae35b5fcecc3e7e29023d24e79698 |
| SHA1 | 2f0c7198c21f2caf36793d84a53848b5d0f835b8 |
| SHA256 | a390d07201c589354b654c052ebe9be307705b2bf424040aedc9c957b9a79b08 |
| SHA512 | 846cf037b10bed875871bb4fc3e6b767b5ee37c80887d9b7be50788cfe3d03f0c3fb0b962184e967ebda065bb16daf60ea7a9bdcc7cded4c8753e57259909fb3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 98ec963e8721decf13fc3e3fb6f2d289 |
| SHA1 | 2ac417fb3d5f7c942587c98fd052a0606022593d |
| SHA256 | 42a373115f467c9c2476d4fd738c348559cfdc6befe218e71688535b8df80a63 |
| SHA512 | bcbe1ce54ccff82ea0e6744d0d7674d0990de0d40d2c13c7562f48b744e76421a5c66f960580dede046172b6cdb9513e770fabed222f60801699dbeb707be232 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c0878a87771d7596b23bbf7fdf4658bc |
| SHA1 | 6ecba3c790d9ef4e36cd9c8a2e118f9ad2e35fda |
| SHA256 | 93bce75330dbc39d20375097d5a21f2fded1fecaced0319de2e229f0fc0e9722 |
| SHA512 | 9bd3791288a56008bdcb9dea5576934666f730d0f00b5e955b804b17bf3eadcc597d2f973069cc1c50b3f56838b1bef0f4eee630ff0cd45975177eaf8ffa6c66 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | eb7dcb6f8c42153cbe0e78ff7e8b7cd5 |
| SHA1 | 283e3f833ec986a9851b1363bf0f9b645f79fd07 |
| SHA256 | 96e961d0edd32a6a6c3e910933f479ac8fc6ecc7372140d68d344958d87faf21 |
| SHA512 | 8b8d972dd57d6673e9bdba500528f3825a96e3e212ad2c477af49c573094b72e112dffe81b93f0845118c43c4e708446d2d15aa1c1119b874c54f27e0501fd96 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 96c7faa8aece785d8be75ac4802f6af2 |
| SHA1 | 339796f90aaefcbcc0a59d2d3e6247a37d09fe13 |
| SHA256 | 2a573d94c771cb7c1cad9f262b6806f50b1affe886fbf49309d1a78e0991d686 |
| SHA512 | 9d527670ac1842da53eee2a11f0b1950fd7e69b0d63dc4f27e537e8c07d909d70f8545e79840bbcdd5b32488f3201599d52c6c8e93487433c3f57b28f1d8ae46 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4317f7e9e55d369dd0e077259077167e |
| SHA1 | 257ea51e9213fed5a48115704a123c263b430602 |
| SHA256 | cf4046eab084e6eea20ff27068a73c880e8341703f21a331f4a91b0681e0c908 |
| SHA512 | b995b367d719eaba08e4bf5acdccfe59f79f9ef80e047c446161ca3adff2b8efd27d1876367aeb85ff5767ceb38e41d3dda6542e1f9ea859c0e3374181311405 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3b55f50adc89e94ff784966ab26b4b4c |
| SHA1 | c75d9efd6c0efa15f636972893874d44f858dbc8 |
| SHA256 | 6b315fb4b5795e119518bca8c396c5adf57d3ce18ea80d39f1581445fa78e0f0 |
| SHA512 | ec09f67e2e8f2e354c7b7759d7b5849fcabd8d3a22f4145540884987198d5f60033cc56a403e3d82bac749b53009c32574f118fa21486ae482765d5ba752bbd4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c92159bb73304d53689c225a9d899984 |
| SHA1 | cf60eeea8f8ff1d536eca8cf60d1fd793438a8e2 |
| SHA256 | 93ac3c55844a957646dc4c76510ab649801015e3a478f55507cb79c0ba424527 |
| SHA512 | 58d258cd34bfb0aa6907f4fb9d2d2921b5642a8d370a1b28275ae4d6ebc1ef3434c6d532cea1ce9705272957e539b6ac255d8a50066a3657a0a145d27fdcd119 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | a266bb7dcc38a562631361bbf61dd11b |
| SHA1 | 3b1efd3a66ea28b16697394703a72ca340a05bd5 |
| SHA256 | df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e |
| SHA512 | 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | 76e3d83452353dad75b088423a7bda90 |
| SHA1 | 365474e9d93f4539cbc861bb49c4b8d77203daf7 |
| SHA256 | 2b7fe8e138de539ae6e462e4396e5e16ada600dda5ad377fa5ee729dd76753aa |
| SHA512 | 6ee1c7b3038cb82a77062fac670828f08b3677a384f862d024918948eccff059e7be244371e290b2b846f3e20b88ef8250787783585e34c74beb73df4a7bb91e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4d4b53229a50486db65f7de78eaa1b1b |
| SHA1 | b5ebe6128223d8406e8749df1fb76ed25292f9ee |
| SHA256 | 885519efd4db9f45459d1f9613fc562640d8d414a89afbd8c4b06a94d3631d32 |
| SHA512 | fb9edb7b955ca78bd5cfb29d061daf279919f643aadd7c906c87ba9eecd99112003f063c9d51846a9ff85fbd402e4f72692fb7fe216900ebadae9b8627f19ef3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a96f225a14b62e4f84b0af67f437d47b |
| SHA1 | a02d51f80b7ccadd867eef221f1fddb43445fcf2 |
| SHA256 | e540b3699dc45dcbc81b4a0884af09cd22fd6f19639a93a4e142f27a0adcb3dc |
| SHA512 | 6841a24facec3151040d2c52dd1709d0409c7bb2a187dbd344800aba389dfba6d9bed8a8d629186e8d56cfae4219d5c0a1686fd3cad153c397336e7fe9d245b5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | af24b0f5819db5c0038639b4f0e9084b |
| SHA1 | 5a2c63bd04922ba4d4fd6c7c9bbbbcf310ffae87 |
| SHA256 | c3d45cbc66ee5e899e4d09ed72c3c7521915ffacb29f052fa88cafc71d3a86cb |
| SHA512 | 2b13ec6162e37acb5f45dfaeae2be460948fa9c6777c594cc9cf4ab583865440b34da63d4e05b34b3c3a1d872c4726ffd51f1aa9bfce516354aa6fc7c5f9cfc2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2b5cb44a7fa71338c8bbba123bd33f14 |
| SHA1 | ca99a98fe0fa7f617d940d319f05609c583b3685 |
| SHA256 | c82b4a51996ec3c1833e99c9fa8c5083fc46cfbde4a34521d3f8dd7b30be1ade |
| SHA512 | 117def4520504329e372c3ed8975c9f3ef40a69330ba37bdd47919601e7d0cf387ca6d33c520cdaa52f10eab27ba10e86badd8a56f93c057695685e2399520e2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5a106d8505eae260b28a6163fca36607 |
| SHA1 | 38309ade26a351639b3b892a3b5a4d92432cacf9 |
| SHA256 | 36b3c702c5235e78065768a28d28271a3941af97ac173281ce31d119228235e5 |
| SHA512 | f269b9a2a8da87b311c34b074d868d3a750f7da79a9badb7e937b5e54a6e27849c66cd982472562fa4ee2c4540712bb44842710e5a337ff903faba505c2d68af |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
| MD5 | e4a68ac854ac5242460afd72481b2a44 |
| SHA1 | df3c24f9bfd666761b268073fe06d1cc8d4f82a4 |
| SHA256 | cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f |
| SHA512 | 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
| MD5 | f5a48b2bc037dd8880206bd0f4d9821f |
| SHA1 | cc8b497b0345d8f541c6687627dfd3f180369ce4 |
| SHA256 | 1bd0fe2b9eff1b027ba7189637e01ecf53f4e3ee2aeebb1a14948118e493773f |
| SHA512 | b2e542680c9d1e568e110db9eb87492677db89722c7b9f07a403181c954d49ed1e2b3a44255d93de3ff356f6faea4d53bf59d1a354a4aa679abc2fcd255c1a0e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 996334a7d9e3177d462c050ca517ca7a |
| SHA1 | f1ffd28416e9c61fdc7119a93880bfcd453d66ab |
| SHA256 | 7baf374904bb62dcb3332b4814678644df6610fc1e36ddd0741aac8774d2dcb1 |
| SHA512 | 78d61ff3cb19c5e0e3e7a213b4fac06bb98d2c91bd15cf9633d1d506ca9e208fa22e683166fb64ff628df88cc380effc3aeab27e31a8ad358b44bd6dc109d962 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 89499ea9346244ba1aee19604338a1cf |
| SHA1 | ef9b1e77fcf57fc3746c96c01632f4330b1a2aef |
| SHA256 | 71bfd78be3217231093a4f7155e50784236e0399f49ae2742c1a561c23669748 |
| SHA512 | 245ce1524c4a29f0577e6f9c34a5dad4cf42594d77058d432c53ca2a34acfe668aff9f3cba5b1a6f1b6d6da3cba97b523aba9c0395008fa8798d456060ceeaac |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7dcca3fc5d636d8ec398e202fb0a4190 |
| SHA1 | d6f1f7fe8174cbde246b421beb78c34f72b64e88 |
| SHA256 | 6fff609a8fc250d0881d9964e1b645c838c9c6a113d0c4740ef0461bb801873a |
| SHA512 | 690152c287c93d88997f0234c8a092ea7aaf9f9522ce52155a38206cb93f1ea70120bee89e614ac8343631a778110e10d32bf606b950bb8646b8de9ea00af189 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 76955ed0117a706721865a3ef62cd1df |
| SHA1 | 8d4c9ddfb1c06fedfa200202f7ac67968030f032 |
| SHA256 | 96d441b717966efabea47a1435be22e804c564a9ea2b6971f1ec92f8fc98cd8a |
| SHA512 | 47e2b03b221291dcecdc5c6223cc7c91c215f603a63c317c4a0fb00f576089e97ef70dad8d0278f6cb26d674f0173fb8dedb5c602966a177b10ef63035d91136 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ed2e79aac14ed4f1aa8597a561623dee |
| SHA1 | c0ea8f8c7a1d141697eae55028fb8ebceb13b608 |
| SHA256 | 6c3c6a0e055eaf4fbe2f4a73d0cf5f2a8755126c3caab7235b64f65bbb38b1f8 |
| SHA512 | 198974dfb427198187cf03b006307032d9982c348ff5d9e91f301b513607a2f6f6e9279ec4ea89d889c20a0fff178ad0fe3a9a09aa290fd03409a312ed815894 |
Analysis: behavioral7
Detonation Overview
Submitted
2023-10-04 22:00
Reported
2023-10-04 22:02
Platform
win10v2004-20230915-en
Max time kernel
149s
Max time network
155s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{696C5CEF-6301-11EE-A4AD-DA9BDFB2881E} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31061774" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000053f6c1c968fea744ae4054d48ac91ea900000000020000000000106600000001000020000000dda1ffe32faaa58987bfccd14e534b85dbea437578b2cfc0794d9ab1e36ab1d9000000000e8000000002000020000000fa7000423603cd822f261c5bb588d30a6b9ad4f1f2172af8a6c8950c98364cb42000000045022593b52bfd94ce3bbdf7551463bb2b730d12f1ef3f639e4994403ce679ee40000000e477ccedb81395a2f5f8053bf5418cad3a19be8c2b9abda07633697f2c69aff0e52ddb72847c06c7f8d2c3d70e979022a2fdd0b23c721e1b9facf1aa7a0f04f4 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f058c33f0ef7d901 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000053f6c1c968fea744ae4054d48ac91ea9000000000200000000001066000000010000200000002c97c1882537a1d352040c1cff6b10c528bc14d33ca5cad7b7667bd76d5544e4000000000e8000000002000020000000bcb4f1d77174238492df4e3e28da245a5c29d42d06f4e322ce8125f1863dfd0420000000d25e72d56b533a1788263ad2fa4db4e6a4778cdda69e6a9b177c440a3aea72b8400000000b9ef4fcdf7585c9ac65669723af0303dcab6b9c4a1bd3bc19754d51c4515f6f32a7531478906416e1f061e0c502a35d6a634b0dd9da6a6099ab2e9bf0762657 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1043210677" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31061774" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1063523488" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31061774" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "403221797" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1043210677" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 2016ac410ef7d901 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4468 wrote to memory of 3300 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 4468 wrote to memory of 3300 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 4468 wrote to memory of 3300 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\consentform.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4468 CREDAT:17410 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.208.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.36.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.81.21.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.177.238.8.in-addr.arpa | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\24U7FPCO\suggestions[1].en-US
| MD5 | 5a34cb996293fde2cb7a4ac89587393a |
| SHA1 | 3c96c993500690d1a77873cd62bc639b3a10653f |
| SHA256 | c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad |
| SHA512 | e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee |